Bottom Line: A Windows vulnerability allegedly patched in 2020 (CVE-2020-17103) can still be exploited on current systems for privilege escalation, and the exploit has been publicly released.
A researcher published a working exploit, named “MiniPlasma”, for a Windows privilege escalation vulnerability; it grants attackers full system rights on updated Windows systems. Microsoft claimed to have patched this vulnerability in 2020, but the current exploit demonstrates that the flaw still exists.
A researcher under the pseudonym Chaotic Eclipse published source code and a compiled exploit on GitHub for a vulnerability in the Windows Cloud Filter driver “cldflt.sys”. The affected routine is “HsmOsBlockPlaceholderAccess”. The flaw was originally reported to Microsoft in September 2020 by James Forshaw of Google’s Project Zero team and assigned the identifier CVE-2020-17103. Microsoft stated that it patched the issue in December 2020.
Chaotic Eclipse reports that, according to their own testing, the identical vulnerability is still present and unchanged. The original proof-of-concept from Google works without modifications. BleepingComputer confirmed the functionality on a fully patched Windows 11 Pro system with the latest May 2026 updates: after executing the exploit with a standard user account, a command prompt with SYSTEM privileges could be opened. Will Dormann of Tharros also confirmed functionality on Windows 11, but noted that the exploit does not work against the latest Windows 11 Insider Preview Canary version.
The exploit abuses how the Cloud Filter driver processes the creation of registry keys via the undocumented CfAbortHydration API. Forshaw’s original report described that arbitrary registry keys in the DEFAULT user hive could be created without appropriate access checks, enabling privilege escalation.
MiniPlasma is the third in a series of Windows exploits that Chaotic Eclipse published in recent weeks: in April came BlueHammer (CVE-2026-33825), then RedSun, and the Windows Defender denial-of-service tool UnDefend. All three were subsequently used in attacks. In May came YellowKey and GreenPlasma; YellowKey circumvents BitLocker on Windows 11 and Windows Server 2022/2025 and grants access to TPM-only-protected drives.
The researcher justifies the public releases with criticism of Microsoft’s bug bounty and vulnerability handling process. According to their account, Microsoft threatened them in a personal exchange, which prompted the protest publication.
Source: ainews-dev.lumi-systems.io · Published 18 May 2026
Lumi AI News — AI-assisted curation pursuant to Article 50 EU AI Act. Paraphrase and classification via Lumi News Pipeline v1.5.2.